Report No. D-2008-101                                                June 6, 2008

General Controls Over the Standard Accounting, Budgeting, and Reporting System (SABRS)

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Office of the Deputy Inspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms

CIO       Chief Information Office
DFAS      Defense Finance and Accounting Service
DISA      Defense Information Systems Agency
DITSCAP   Department of Defense Information Technology Security Certification and Accreditation Process
FISMA     Federal Information Security Management Act
IT        Information Technology
NIST      National Institute of Standards and Technology
OMB       Office of Management and Budget
PMO       Program Management Office
SABRS     Standard Accounting, Budgeting, and Reporting System
TASO      Terminal Area Security Officer
USMC      United States Marine Corps

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

                                                                     June 6, 2008

MEMORANDUM FOR DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
               NAVAL INSPECTOR GENERAL
               ASSISTANT DEPUTY COMMANDANT FOR PROGRAMS AND RESOURCES (FISCAL), UNITED STATES MARINE CORPS

SUBJECT: General Controls Over the Standard Accounting, Budgeting, and Reporting System (SABRS) (Report No. D-2008-101)

We are providing this report for review and comment. We considered comments from the Defense Finance and Accounting Service when preparing the final report.

DoD Directive 7650.3 requires that all recommendations be resolved promptly. The Defense Finance and Accounting Service comments were partially responsive. We request additional comments on Recommendations A.1.a, A.1.d, A.2.a, A.2.b, A.2.d, A.2.e, B.1.a, B.1.b, B.2.b, B.2.c, B.2.d, B.2.e, B.2.f, B.3, B.4.b, and C. Therefore, we request that the Chief Information Officer, Defense Finance and Accounting Service provide comments by July 7, 2008.

If possible, please send management comments in electronic format (Adobe Acrobat file only) to AudDFS@dodig.mil. Copies of the management comments must contain the actual signature of the authorizing official. We cannot accept the / Signed / symbol in place of the actual signature. If you arrange to send classified comments electronically, they must be sent over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff. Questions should be directed to Edward A. Blair at (216) 706-0074 ext. 226 or Ms. Cecelia M. Ball at (816) 926-8501 ext. 222 (DSN 465-8501). The team members are listed inside the back cover. See Appendix C for the report distribution.

Patricia A. Marsh, CPA
Assistant Inspector General
Defense Financial Auditing Service

Department of Defense Office of Inspector General
Report No. D-2008-101                                                June 6, 2008
(Project No. D2006-D000FC-0068.000)

General Controls Over the Standard Accounting, Budgeting, and Reporting System (SABRS)

Executive Summary

Who Should Read This Report and Why? DoD personnel who manage and use the Standard Accounting, Budgeting, and Reporting System (SABRS) should read this report. This report discusses whether the SABRS general controls were adequately designed and operating effectively.

Background. SABRS is the accounting system used by the Defense Finance and Accounting Service Kansas City to standardize accounting, budgeting, and reporting procedures for the United States Marine Corps (USMC) general fund. The USMC reported $27,155 million in assets and $2,255 million in liabilities on its FY 2006 Balance Sheet. This audit was conducted to determine whether the Defense Finance and Accounting Service Kansas City ensures general control standards issued by the Office of Management and Budget, the National Institute of Standards and Technology, and DoD were implemented and operating effectively for SABRS.

Results. Controls over SABRS security management and operations are ineffective because the Defense Finance and Accounting Service Chief Information Officer did not assign clear security responsibilities to the SABRS Program Management Office (finding A), the SABRS Program Management Office did not provide assurance that SABRS security was effective because it did not coordinate with all responsible parties (finding B), and Defense Finance and Accounting Service Accounting Services-Marine Corps and Defense Information Systems Agency did not have an approved Service Level Agreement because Defense Finance and Accounting Service did not sufficiently coordinate with the Defense Information Systems Agency to complete the approval process (finding C). See the Findings section of the report for the detailed recommendations.

Management Comments. The Director, Information and Technology, Defense Finance and Accounting Service concurred with all recommendations except one. We considered some corrective actions responsive to the intent of the recommendations. No further comments are required for those recommendations. We reiterated other recommendations to the Chief Information Office, Defense Finance and Accounting Service and the Program Management Office because comments were nonresponsive and partially responsive.

We request that the Chief Information Office, Defense Finance and Accounting Service and the Program Management Office comment on the final report by July 7, 2008. See the Findings section of the report for a discussion of management comments and the Management Comments section of the report for the complete text of the comments.

Table of Contents

Executive Summary                                                          i
Background                                                                 1
Objectives                                                                 2
Findings
    A. Standard Accounting, Budgeting, and Reporting System Security Management       3
    B. Program Management Office Security Coordination                    15
    C. Defense Finance and Accounting Service and Defense Information Systems Agency Service Level Agreement   22
Appendixes
    A. Scope and Methodology                                              24
    B. Security Plan Comparison                                           26
    C. Report Distribution                                                32
Management Comments
    Defense Finance and Accounting Service                                35

Background

The Chief Financial Officers Act of 1990 (Public Law 101-576), as amended, mandates that agencies prepare and conduct audits of financial statements. Under Secretary of Defense (Comptroller) guidance implementing the Chief Financial Officers Act of 1990, as amended, requires the United States Marine Corps (USMC) complete stand-alone General Fund and Working Capital Fund financial statements.

The Defense Finance and Accounting Service (DFAS) Kansas City is responsible for reporting the USMC financial statement data to the Department of the Navy. These financial statement data are ultimately included in the DoD consolidated financial statements.
The USMC relies on DFAS Kansas City's assurances regarding the controls used to prepare the USMC financial reports and its financial statements. The USMC reported $27,155 million in assets and $2,255 million in liabilities on its FY 2006 Balance Sheet.

The Standard Accounting, Budgeting, and Reporting System (SABRS) is a computer-based information system designed to standardize accounting, budgeting, and reporting procedures for all general funds accounted for by the USMC. SABRS produces general data to support automated and auditable financial statements. It facilitates the preparation of financial statements and other financial reports in accordance with Federal accounting and reporting standards.

DFAS Kansas City, Accounting Systems Branch owns and manages SABRS. As the owner, it is required to review and maintain the SABRS security policy. The USMC Fiscal Director is the functional sponsor. As a functional sponsor, USMC uses SABRS to record and account for financial data that it owns and processes. DFAS Technology Service Organization developed and maintains the SABRS system. The System Management Center, Mechanicsburg, Pennsylvania, provides SABRS processing support, and the System Management Center, St. Louis, Missouri, provides SABRS hardware support.

Federal agencies, Congress, and the public rely on computer-based information systems to provide data about agency programs, manage Federal resources, and report program costs and benefits. The Federal Information Security Management Act of 2002 (FISMA) assigns specific responsibilities to Federal agencies, the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB) to strengthen information system security.

FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce Information Technology (IT) security risks to an acceptable level. Additionally, the head of each agency is to appoint a Chief Information Officer (CIO) responsible for developing and maintaining an agency-wide information security program. Agency-wide information security programs should include subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate. The DFAS CIO has tasked the SABRS PMO with ensuring adequate information security for SABRS.

FISMA directs NIST to develop IT security standards and guidelines and directs each agency to implement an information security program. FISMA requires that the OMB oversee IT security policies and practices across all Federal agencies. NIST works collaboratively with OMB to develop standards and guidelines to achieve cost-effective security and privacy of sensitive information in Federal computer systems. Agencies, like DFAS, must follow NIST standards and guidance for non-national security programs and systems.

The Office of the Assistant Secretary of Defense directed the Defense-Wide Information Systems Security Program to create standardized requirements and processes for accreditation of computers, systems, and networks. DoD Instruction 5200.40 established the DoD Information Technology Security Certification and Accreditation Process (DITSCAP). The DITSCAP Manual (DoD 8510.1-M) presents the detailed requirements for completing the certification and accreditation process.

Computer-related controls help ensure the reliability, confidentiality, and availability of automated information. General controls are the policies and procedures that apply to an entity's information systems and help ensure their proper operation. Primary objectives for general controls include safeguarding data, protecting computer application programs, protecting system software from unauthorized access, and ensuring continued computer operations in case of unexpected interruptions. The effectiveness of general controls is a significant factor in determining the effectiveness of application controls. Without effective general controls, application controls may be rendered ineffective by circumvention or modification. General and application controls become more critical when functions are transferred to other DFAS locations, as DFAS Kansas City is scheduled to close under the Base Realignment and Closure.

Objectives

Our overall audit objective was to assess the integrity, confidentiality, and availability of data reported by SABRS. Specifically, we determined whether the general controls over SABRS were adequate. We did not evaluate the application controls over SABRS because of the lack of general controls identified. See Appendix A for a discussion of the scope and methodology.

A. Standard Accounting, Budgeting, and Reporting System Security Management

Controls over SABRS security management and operations were ineffective because the CIO did not assign clear security responsibilities to the Program Management Office (PMO).
Specifically:

    • the SABRS security management structure did not ensure proper segregation of duties and security responsibilities;

    • the CIO did not clearly delegate the authority and duty to responsible parties to develop approved policies and procedures for SABRS IT security operations;

    • the CIO did not clearly assign an office the responsibility for the IT security and control requirements; and

    • software waivers and license agreements were not maintained to assure personnel that only authorized software was loaded on computers which can be used to access SABRS.

Ineffective controls over SABRS security management and operations increase the vulnerability of SABRS IT resources and are detrimental to an effective information security program.

Proper Segregation of Duties and Responsibility

The SABRS security management structure lacks proper segregation of duties and security responsibilities. The CIO did not ensure that the Terminal Area Security Officer (TASO) duties were independent from operations. The CIO did not include clear security responsibilities in the PMO personnel job expectations.

TASO Segregation of Duties. TASOs create and assign user IDs and set user privileges for SABRS. TASOs report to DFAS operations instead of to a separate DFAS function outside of operations. DFAS attempted to segregate duties when it moved PMO reporting to the CIO, but the TASOs, who had reported to the PMO, remained in DFAS operations. This structure allows security controls to be circumvented to provide certain services to customers, including to USMC. For example, TASOs can grant access rights to personnel that allow them to bypass or change security controls. NIST advises that computer security embedded in operations lacks independence, has minimal authority, receives little management attention, and has few resources.

Assigned Security Responsibilities. We reviewed the performance plans for the PMO personnel to determine each employee's specific security responsibilities. The performance plans for PMO personnel did not have security responsibilities included as part of their job expectations from the CIO. According to NIST, the assignment of security responsibilities should be in writing to ensure that a system's application has adequate security. It would be appropriate to use performance plans to formally communicate the security responsibilities to PMO personnel.

Security Policies and Procedures

Controls over SABRS security management and operations are ineffective because the CIO did not clearly delegate the authority and duty to responsible parties to develop approved policies and procedures for SABRS IT security operations. Policies and procedures did not exist or were not formally approved for access authorizations, periodic reviews of access authorizations, and data encryption. Management's requirements and actual intent are not known and cannot be enforced if the policies and procedures have not been formally approved.

Access Authorizations. The PMO, as a component of the CIO, provided desk procedures, but not formal policies, for granting system access authorizations. The desk procedures were not properly approved by DFAS management. According to NIST, approved policies are needed to provide sufficient information or direction to be used in establishing an access control list. In addition, the Government Accountability Office Federal Information System Controls Audit Manual states management is responsible for developing the detailed policies, procedures, and practices to fit an agency's operations. Management should also ensure these policies are built into and are an integral part of IT security operations. Documented and approved access control policies will make these operations substantially easier to follow and will improve system access control.

Periodic Reviews of Access Authorizations. The PMO, as a component of the CIO, provided desk procedures, but not formal policies, for periodic reviews of access authorizations. The desk procedures were not properly approved by DFAS management, and they did not provide for periodic review of access rights for each user. According to NIST, it is necessary to periodically review user accounts on a system to ensure proper authorizations and manage system access. Application managers (and data owners, if different) should review all access levels of all application users every month and sign a formal access approval list, which will provide a written record of the approvals. The PMO is often the only party in a position to know current access requirements.

Informal policies and procedures lack the weight of authority provided by the written approval of a senior management official, the CIO. Management officials' approval provides clear evidence to employees and contractors that management is in agreement with the stated policies and procedures and that adherence is required.

Effective administration of users' access is essential to maintaining system security. User account management focuses on identification, authentication, and access authorizations. This process should include periodic verification of user accounts and access authorizations. User accounts must also be modified or removed in a timely manner, along with any associated access, for employees who are reassigned, promoted, terminated, or who retire.

Data Encryption. The PMO, as a component of the CIO, could not identify its data encryption procedures. PMO personnel stated encryption is not under their direct control, so they do not believe they need to know this information. According to NIST, an organization should use encryption to protect the confidentiality of remote access sessions. During our audit, NIST guidance was updated (December 2006); however, the requirement to use encryption did not change and still applies. The requirements for encryption and remote access policies are critical because they address the security of data transmission. The PMO has primary responsibility for the security of SABRS. It should be aware of the encryption used for its application.

SABRS Security and Control Requirements

Controls over SABRS security management and operations are ineffective because the CIO did not clearly assign responsibility for the IT security and control requirements.
Specifically, the SABRS security environment did not include:

    • a complete risk assessment;

    • an adequate security plan, also called a System Security Authorization Agreement;

    • identification of information and resources critical to the operations of SABRS in its contingency plan;

    • implementation of intrusion detection and incident response procedures; and

    • assurance that users completed required security awareness training.

Risk Assessments. The PMO, as a component of the CIO, did not complete a required risk assessment because the CIO did not clearly assign security responsibilities to the PMO. Although the PMO identified some potential risks, it did not perform a risk assessment of natural threats or rank the probability of identified threats occurring, as required by NIST, OMB, and DoD Instructions.

"Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual," July 31, 2000, states:

    The SSAA[1] should clearly state the nature of the threat that is expected and wherever possible, the expected frequency of occurrence. Generic threat information is available but it must be adapted to clearly state the expected threats to be encountered by the system. DITSCAP also requires the risk analysis to identify appropriate cost-effective countermeasures to mitigate the risk.

[1] The SSAA (System Security Authorization Agreement) is the Security Plan.

The PMO did not adequately complete the risk assessment and, therefore, did not include appropriate countermeasures in its security plan. DoD Instruction 8500.2 requires agencies to ensure that DoD Component-owned or controlled DoD information systems are assessed for information assurance vulnerabilities on a regular basis, and that appropriate information assurance solutions are implemented to eliminate or otherwise mitigate identified vulnerabilities.

Without adequate risk assessments and appropriate countermeasures, the SABRS application could be at risk for a security event (for example, flood, loss of power, or intrusion) to occur that cannot be promptly mitigated. Ultimately, SABRS could be unable to perform its mission of financial accounting and reporting for the USMC.

Security Plans. Although the PMO prepared a security plan for SABRS, it did not conform to NIST, OMB, and DITSCAP standards. Of the 65 sections in the 2003 security plan, 26 sections did not comply with standards; of 65 sections for the 2006 security plan, 27 did not comply with standards. Specific areas of noncompliance are listed in Appendix B. In addition, the 2003 security plan was out of date. A major modification to SABRS was completed in October 2005, but the PMO waited until May 2006 to update the security plan. This met the 3-year minimum update, but it did not meet the NIST requirement to update the security plan when a major modification was completed on the system. Management authorizes a system to process information or to operate based on the security plan when completing the certification and authorization process. Authorizing a system to process information provides an important quality control, and, by authorizing processing in a system, the manager accepts its associated risks. Because the security plan for SABRS was not up to date, management may be unaware of the risks they are accepting within SABRS when certification and authorization is completed.

Contingency Planning. The SABRS contingency plan did not define the information resources criticality in accordance with NIST guidance and DoD Instruction 8500.2. Both standards require the identification of mission and business essential functions for priority restoration planning along with all assets supporting mission or business essential functions.

The PMO provided the contingency plan and results of testing performed. The criticality of data and business essential functions were not identified as part of the plan. Contingency plan testing identified the users' inability to obtain remote access to the contingency site. Remotely accessing the contingency site could be critical during an emergency or system disruption.

Intrusion Detection and Incident Response Procedures. The PMO, as a component of the CIO, provided policies and procedures to employees for reporting intrusions; however, the policies and procedures did not address how monitoring within SABRS detects security violations. NIST recommends a baseline level of logging and auditing on all systems. That is, all systems should have a minimum level of recording and reviewing of all system activity. Furthermore, NIST recommends all critical systems have a higher baseline level. The logs frequently provide value during incident analysis, particularly if auditing is enabled. The PMO did not have procedures established for monitoring, through logging and auditing, for SABRS to detect security violations.

SABRS is considered a major application, and according to DoD Instruction 8500.2, major applications require intrusion detection systems. The DoD Instruction requires an incident response plan that identifies the responsible Computer Network Defense Service Provider, defines reportable incidents, outlines a standard operating procedure for incident response, identifies user training, and establishes an incident response team. The plan should be exercised at least annually. The PMO did not have an intrusion detection system as part of an incident response plan.

Application-level audit trails should record user activities, such as opening and closing data files; reading, editing, and deleting records or fields; and printing reports. Without this security control, security violations could occur within SABRS that would not be detected, investigated, or corrected.

Security Awareness Training. The PMO did not verify that all SABRS users attended the required annual computer security awareness training. FISMA requires each agency to develop, document, and implement an agency-wide information security program that includes security awareness training. This training applies to all personnel, contractors and other users of information systems that support the operations and assets of the agency. Additionally, DoD and OMB require employees receive mandatory periodic training.
NIST standards, which are directed by OMB and are considered best practices, require annual training for all users.

An effective IT security program requires significant attention be given to training IT users on security policy, procedures, and techniques. We compared an incomplete list of SABRS users to a list of employees who attended annual IT security training and determined that 2,946 of 3,148 SABRS users were not identified as having completed the required training. Because the PMO did not verify that SABRS users completed the required IT security training, SABRS is vulnerable to greater security risk.

Software Waivers or License Agreements

DFAS Technology Services Organization, as a component of the CIO, did not maintain waivers or license agreements for selected software loaded on their computers. The CIO did not clearly assign those security responsibilities to the Technology Services Organization. Waivers or license agreements authorize the software for use. Unauthorized software could degrade SABRS processing.

DFAS Technology Services Organization was unable to provide waivers or license agreements for 8 of 12 auditor-sampled software programs. DFAS Instructions require that only software that is part of the DFAS standard suite of software may be loaded onto a Government computer. All other software must be approved for installation in writing by the DFAS Technology Services Organization. The DFAS CIO should require that the Technology Services Organization maintain software waivers and license agreements. These waivers and license agreements provide assurance that only authorized software is operating on DFAS computers.

Recommendations, Management Comments, and Audit Response

A.1 We recommend the Chief Information Officer, Defense Finance and Accounting Service:

    a. Separate the Terminal Area Security Officer functions from Defense Finance and Accounting Service Operations to ensure segregation of duties.

Management Comments. The Director, Information and Technology, DFAS[2] nonconcurred. He stated that TASOs[3] assist in implementing information assurance provisions for local users and systems so they have to be physically located in the same work area or organization as the users. He added that system access procedures involve multiple roles and people, all of which provide an appropriate measure of segregation of duties.

[2] Defense Finance and Accounting Service (DFAS).
[3] Terminal Area Security Officer (TASO).

Audit Response. The Director, Information and Technology, DFAS nonconcurred and the comments were nonresponsive. We recommended that the TASO functions be separated from operations to ensure segregation of duties. We do not agree that DFAS provides the appropriate measure of segregation of duties between TASOs and operations. TASO functions should not be embedded in DFAS Operation's chain of command regardless of where the TASOs are physically located.

We request that the Director, Information and Technology, DFAS provide the corrective actions taken to segregate TASO functions from operations and the associated implementation dates.

    b. Develop performance plans that:

        (1) Incorporate security duties as performance measurements for personnel with security responsibilities, including but not limited to the Program Management Office, and

        (2) Management can use to evaluate personnel and hold them accountable for security operations.

Management Comments. The Director, Information and Technology, DFAS concurred. He explained that the requirement to develop performance plans that incorporate security duties as performance measurements for personnel with security responsibilities will be added to the DFAS Information Assurance Workforce Improvement Program. The estimated completion date for this action is September 30, 2008.

Audit Response. Comments from the Director, Information and Technology, DFAS are responsive and no additional comments are required.

    c. Identify and clearly delegate to specific offices the responsibility for establishing and executing policy and procedural authorities over Standard Accounting, Budgeting, and Reporting System information technology security operations.

Management Comments. The Director, Information and Technology, DFAS concurred. The Director, Information and Technology, DFAS stated that he updated DFAS 8500.1-R, Information Assurance, November 2007. This updated policy assigns clear security responsibilities to program managers, system managers, system information assurance managers, site information assurance managers, and other security officials.

Audit Response. Comments from the Director, Information and Technology, DFAS are responsive and no additional comments are required.

    d. Direct applicable offices to create, document, implement, and approve policies and procedures in accordance with National Institute of Standards and Technology, DoD, and Government Accountability Office guidance to address:

        • access authorizations,

        • periodic reviews of access authorizations,

        • data encryption, and

        • detecting and investigating security violations and activities.

Management Comments. The Director, Information and Technology, DFAS concurred.

The Director, Information and Technology, DFAS described the procedures that DFAS uses for access authorizations and periodic review of access authorizations. He explained that an automated process identifies monthly ACIDs[4] that have SABRS[5] access. A systems task documents the validation, showing access identifications and entries that were removed. He added that the SABRS PMO[6] is notified of the monthly validation.
He also stated that all ACIDs are reviewed\n           when DFAS receives a request for SABRS access.\n\n           For data encryption, the Director, Information and Technology, DFAS stated that\n           all relevant requirements were identified in the System Security Authorization\n\n4\n    A form of access identification, known as ACessor Identification (ACID).\n5\n    Standard Accounting, Budgeting, and Reporting System (SABRS).\n6\n    Program Management Office (PMO).\n\n\n\n                                                     11\n\x0c           Agreement for SABRS with additional requirements identified in the DITSCAP 7\n           based System Security Authorization Agreement. He stated that procedures do\n           not need to be developed as other entities implement the inherited controls.\n\n           The Director, Information and Technology, DFAS stated that baseline controls for\n           detecting and investigating security violations are in the System Security\n           Authorization Agreement and that the SABRS incident response plan is in\n           Appendix K of the System Security Authorization Agreement. He added that the\n           appropriate DISA 8 and DFAS Computer Emergency Response Teams conduct\n           investigations and each has its own documentation procedures.\n\n           Audit Response. Comments from the Director, Information and Technology,\n           DFAS are partially responsive.\n\n           Although the Director, Information and Technology, DFAS described the\n           procedures DFAS uses for access authorizations and review of access\n           authorizations, he did not identify the approved policy that the procedures\n           implement.\n\n           We disagree that the data encryption requirements are identified in the System\n           Security Authorization Agreement for SABRS. 
The requirements were implied in\n           checklists instead of formally stated in the System Security Authorization\n           Agreement. Although the data encryption requirements were inherited, the PMO,\n           as a component of the CIO, 9 has primary responsibility for the security of\n           SABRS. Therefore, it should be aware of the encryption used for their\n           application. The Director, Information and Technology, DFAS did not provide\n           encryption procedures.\n\n           We disagree that the controls for detecting and investigating security violations\n           are stated in the System Security Authorization Agreement. Appendix K of the\n           System Security Authorization Agreement does not include an incident response\n           plan that identifies the responsible Computer Network Defense Service Provider,\n           defines reportable incidents, outlines a standard operating procedure for incident\n           response, identifies user training, and establishes an incident response team as\n           required by regulation. 
Appendix K states only that users must immediately\n           report all Information Assurance-related events and potential threats and\n           vulnerabilities involving a DoD information system to the appropriate\n           Information Assurance Officer.\n\n           We request that the Director, Information and Technology, DFAS create,\n           document, implement, and approve policies and procedures in accordance with\n           NIST, 10 DoD, and Government Accountability Office guidance to address access\n           authorizations, periodic reviews of access authorizations, data encryption, and\n           detecting and investigating security violations and activities.\n\n7\n    Department of Defense Information Technology Security Certification and Accreditation Process\n    (DITSCAP).\n8\n    Defense Information Systems Agency (DISA).\n9\n    Chief Information Officer (CIO).\n10\n     National Institute of Standards and Technology (NIST).\n\n\n\n                                                     12\n\x0c       e. Provide training to Defense Finance and Accounting Service\nKansas City personnel regarding DoD and Defense Finance and Accounting\nService license agreements and waivers.\n\nManagement Comments. The Director, Information and Technology, DFAS\nconcurred. He stated that software licensing requirements are part of the\nmandatory Information Assurance awareness training provided to all DFAS\ninformation technology users. DFAS also broadcasted educational information\nrelated to software piracy DFAS wide and posted the information on its ePortal.\n\nAudit Response. Comments from the Director, Information and Technology,\nDFAS are responsive and no additional comments are required.\n\n       f. Maintain license agreements and waivers for software to ensure\nonly authorized software is present on the Defense Finance and Accounting\nService computer system.\n\nManagement Comments. The Director, Information and Technology, DFAS\nconcurred. 
The requirement to maintain license agreements and waivers is stated\nin DFAS 8400.1-R, Information Technology. He stated that DFAS will initiate a\nreview of all installed software to confirm that all workstations comply with\nsoftware licensing agreements. The estimated completion date for this action is\nSeptember 30, 2008.\n\nAudit Response. Comments from the Director, Information and Technology,\nDFAS are responsive and no additional comments are required.\n\nA.2. We recommend the Chief Information Officer, Defense Finance and\nAccounting Service clearly assign security responsibilities to the Program\nManagement Office and direct that office to comply with National Institute\nof Standards and Technology, Office of Management and Budget, and DoD\nrequirements. Specifically,\n\n        a. Perform a risk assessment of Standard Accounting, Budgeting, and\nReporting System at least every 3 years or when a major change occurs.\nThis risk assessment should include identifying risks, the likelihood of the\nidentified risks, and appropriate cost-effective countermeasures to mitigate\nthe risks.\n\nManagement Comments. The Director, Information and Technology, DFAS\nconcurred. He explained that when DoD Instruction 8500.2 was issued\nsubsequent to the DITSCAP manual, the required threat analysis, cited in the\nreport as the basis for this recommendation, was substantially altered. DoD\nInstruction 8500.2 negated the mandatory requirement to conduct a separate\nthreat and risk assessment for each system. DITSCAP has since been replaced\nwith the Defense Information Assurance Certification and Accreditation Process,\nwhich does not require a threat analysis as part of the certification and\naccreditation process.\n\n\n\n                                   13\n\x0cAudit Response. Comments from the Director, Information and Technology,\nDFAS are partially responsive. 
We realize DITSCAP has been replaced with the\nDefense Information Assurance Certification and Accreditation Process. The\nassessment of natural threats, as a possible risk, is not addressed in the Defense\nInformation Assurance Certification and Accreditation Process. Therefore, we\napplied guidance identified in NIST. NIST recommends that information on the\nprobability of natural threats impacting the system be readily available and\nappropriate countermeasures for those threats be identified.\n\nWe request that the Director, Information and Technology, DFAS perform a risk\nassessment that includes identifying risks, the likelihood of the identified risks,\nand appropriate cost-effective countermeasures to mitigate the risks.\n\n       b. Prepare and document a security plan.\n\nManagement Comments. The Director, Information and Technology, DFAS\nconcurred. He stated that the last SABRS security plan was completed on June 9,\n2006. He added that DFAS will complete a new security plan as part of the\nDFAS corporate transition to the Defense Information Assurance Certification\nand Accreditation Process. The required date for completion is June 30, 2008.\n\nAudit Response. Comments from the Director, Information and Technology,\nDFAS are partially responsive. The security plan should incorporate NIST,\nOffice of Management and Budget, and DoD requirements. We request that the\nDirector, Information and Technology, DFAS review and comment how its\nsecurity plan meets NIST, Office of Management and Budget, and DoD\nrequirements.\n\n       c. Identify the critical data and resources that support Standard\nAccounting, Budgeting, and Reporting System. The critical data and\nresources should be used to identify recovery priorities. This information\nshould be documented in the Standard Accounting, Budgeting, and\nReporting System contingency plan.\n\nManagement Comments. The Director, Information and Technology, DFAS\nconcurred. 
He stated that DFAS annually updates the SABRS contingency plan.\nDFAS most recently updated and tested the contingency plan on November 7,\n2007.\n\nAudit Response. Comments from the Director, Information and Technology,\nDFAS are responsive and no additional comments are required.\n\n       d. Prepare an intrusion detection policy for the Standard Accounting,\nBudgeting, and Reporting System, including who is responsible for\nmonitoring intrusion detection. The policy should address the recording and\nauditing of users\xe2\x80\x99 activities and intrusion incidents.\n\nManagement Comments. The Director, Information and Technology, DFAS\nconcurred. He stated that intrusion detection and monitoring requirements are\nincluded in the System Security Authorization Agreement as part of the DoD\n\n\n                                     14\n\x0c           Instruction 8500.2 baseline controls. DISA, DFAS, and USMC 11 personnel\n           implement and perform intrusion detection for SABRS operations at their own\n           user sites.\n\n           Audit Response. Comments from the Director, Information and Technology,\n           DFAS are partially responsive. Application-level audit trails should record user\n           activities, such as opening and closing data files; reading, editing, and deleting\n           records or fields; and printing reports. DFAS, as the system owner, is ultimately\n           responsible for these functions. They are not controlled by DISA. We request that\n           the Director, Information and Technology, DFAS prepare an intrusion detection\n           policy for SABRS that specifically addresses recording and auditing user\n           activities and intrusion incidents.\n\n                  e. 
Ensure that all Standard Accounting, Budgeting, and Reporting\n           System users have attended annual computer security awareness training\n           and implement a method to verify that all users are adequately completing\n           the required training.\n\n           Management Comments. The Director, Information and Technology, DFAS\n           concurred. He stated that DFAS is managing and tracking the completion of\n           information assurance awareness training for its own users using an automated\n           method. USMC maintains its own documentation of the information assurance\n           awareness training for SABRS users.\n\n           Audit Response. Comments from the Director, Information and Technology,\n           DFAS are partially responsive. Because DFAS owns SABRS, the PMO should\n           be aware of all users that have completed security awareness training. In\n           addition, DFAS should periodically verify that all users, including non-DFAS\n           users, annually complete the required training. We request that the Director,\n           Information and Technology, DFAS document how it ensures that all SABRS\n           users have attended annual computer security awareness training and implement a\n           method to verify that all users are adequately completing the required training.\n\n\n\n\n11\n     United States Marine Corps (USMC).\n\n\n\n                                               15\n\x0c           B. Program Management Office Security\n              Coordination\n           The PMO did not provide assurance that SABRS security was effective\n           because it did not coordinate with all parties responsible for security over\n           SABRS. 
Specifically, the PMO did not:\n\n                  \xe2\x80\xa2   provide documentation that proved the SABRS user passwords\n                      were in accordance with Joint Task Force Global Networks\n                      Communications Tasking Order 06-02 requirements,\n\n                  \xe2\x80\xa2   identify general support system security controls implemented\n                      by other responsible parties,\n\n                  \xe2\x80\xa2   provide an accurate list of all TASO account holders,\n\n                  \xe2\x80\xa2   provide documentation that proved SABRS acceptance testing\n                      was completed, and\n\n                  \xe2\x80\xa2   prevent unauthorized software from being introduced to the\n                      SABRS environment.\n\n           As a result, the PMO cannot ensure an effective security control\n           environment exists for SABRS.\n\n\nSABRS User Passwords\n\n    The PMO did not provide documentation that proved SABRS user passwords\n    were in accordance with the requirements in the Joint Task Force Global\n    Networks Communications Tasking Order 06-02 because, PMO personnel stated,\n    this was outside of their direct control. They stated Defense Information Systems\n    Agency (DISA) set the password parameters; therefore, they did not need to know\n    this information. 
The Tasking Order states that passwords have to meet the\n    following requirements.\n\n           \xe2\x80\xa2   Passwords must be set to a minimum of nine characters.\n\n           \xe2\x80\xa2   Passwords must contain a mix of at least two lowercase letters, two\n               uppercase letters, two numbers, and two special characters.\n\n           \xe2\x80\xa2   Passwords must be changed every 60 days.\n\n           \xe2\x80\xa2   Password history must be set to a minimum of five.\n\n\n                                        16\n\x0c           \xe2\x80\xa2   Unsuccessful logon attempt counter must be set to three with a counter\n               reset of no less than 60 minutes. This allows no more than two\n               unsuccessful logon attempts within a 60-minute period.\n\n           \xe2\x80\xa2   After the third unsuccessful logon attempt, the account lockout\n               duration must be set to \xe2\x80\x9cforever,\xe2\x80\x9d requiring the account to be unlocked\n               by a system administrator.\n\n    Passwords are a technical measure that prevents unauthorized people (or\n    unauthorized processes) from entering a computer system. Passwords are also\n    critical to computer security because they are the basis for most types of access\n    control and for establishing user accountability. Because the PMO is ultimately\n    responsible for SABRS security, it should be aware of the password parameters\n    and ensure that passwords are robust.\n\n\nGeneral Support System Controls\n\n    The PMO did not identify security controls implemented by other responsible\n    parties because personnel did not believe those security controls were also their\n    responsibility. PMO personnel stated that DISA was responsible for security over\n    the general support system used by SABRS. This security includes physical and\n    system software controls and a minimum level of recording or reviewing system\n    activity. 
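
    The password parameters listed above under SABRS User Passwords, expressed as a check the PMO could run or ask DISA to demonstrate. This is an added example and is not part of the report or of SABRS or Top Secret; the threshold values are the Tasking Order's as quoted in the report, while the sample passwords and logon timestamps are constructed for illustration.

```python
"""
Added example; not part of the DoD IG report or of SABRS. It checks a
candidate password against the CTO 06-02 parameters the report lists
(length, character mix, age, history) and models the unsuccessful-logon
counter: three failures lock the account until an administrator unlocks
it, and the counter resets after 60 minutes without a failure. The
sample passwords and logon timestamps are constructed for illustration.
"""
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Sequence

MIN_LENGTH = 9          # minimum of nine characters
MIN_PER_CLASS = 2       # two lower, two upper, two digits, two specials
MAX_AGE_DAYS = 60       # changed every 60 days
HISTORY_DEPTH = 5       # history of at least five
LOCKOUT_THRESHOLD = 3   # third unsuccessful attempt locks the account
COUNTER_RESET = timedelta(minutes=60)
SPECIALS = set(string.punctuation)


def password_violations(candidate: str, history: Sequence[str] = ()) -> list:
    """Return the CTO 06-02 rules `candidate` breaks; an empty list means compliant.
    `history` holds previously used passwords, newest last."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"length {len(candidate)} < {MIN_LENGTH}")
    counts = {
        "lowercase": sum(c.islower() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "digit": sum(c.isdigit() for c in candidate),
        "special": sum(c in SPECIALS for c in candidate),
    }
    for kind, n in counts.items():
        if n < MIN_PER_CLASS:
            problems.append(f"fewer than {MIN_PER_CLASS} {kind} characters ({n})")
    if candidate in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """True when the password in use is older than MAX_AGE_DAYS."""
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


@dataclass
class AccountLockout:
    """Per-account unsuccessful-logon counter with a 'forever' lockout."""
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked: bool = False

    def record_failure(self, at: datetime) -> bool:
        """Record a failed logon at time `at`; return True if the account is locked."""
        if self.locked:
            return True
        if self.last_failure is not None and at - self.last_failure >= COUNTER_RESET:
            self.failures = 0              # reset window elapsed without a failure
        self.failures += 1
        self.last_failure = at
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked = True             # stays locked until admin_unlock()
        return self.locked

    def record_success(self) -> bool:
        """A correct password clears the counter, but never a lockout."""
        if self.locked:
            return False
        self.failures = 0
        self.last_failure = None
        return True

    def admin_unlock(self) -> None:
        """Only a system administrator clears the lockout."""
        self.locked = False
        self.failures = 0
        self.last_failure = None


def replay(events: Sequence[tuple]) -> tuple:
    """Replay (timestamp, succeeded) logon events; return (locked, failure_count)."""
    acct = AccountLockout()
    for at, ok in events:
        acct.record_success() if ok else acct.record_failure(at)
    return acct.locked, acct.failures


# Constructed logon histories (timestamps assumed, not from the report).
T0 = datetime(2008, 1, 7, 9, 0)
BURST_FAILURES = [(T0, False), (T0 + timedelta(minutes=5), False),
                  (T0 + timedelta(minutes=10), False)]      # locks on the third
SPREAD_FAILURES = [(T0, False), (T0 + timedelta(minutes=61), False),
                   (T0 + timedelta(minutes=122), False)]    # counter resets each time
PASSWORD_AGED_OUT = password_expired(T0, T0 + timedelta(days=61))

if __name__ == "__main__":
    print(password_violations("password1"))
    print(replay(BURST_FAILURES), replay(SPREAD_FAILURES), PASSWORD_AGED_OUT)
```

    The two constructed histories show why the reset window matters: three failures within ten minutes lock the account, while three failures each more than 60 minutes apart never accumulate. A locked account returns False from record_success() even for a correct password, which is the "forever" behaviour the Tasking Order requires until an administrator intervenes.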
PMO personnel stated they did not need to know this information or\n    obtain any assurances regarding the effectiveness of controls used by DISA, the\n    organization that maintains the SABRS general support system. According to\n    NIST, if an agency runs a major application on another organization\xe2\x80\x99s general\n    support system, the agency should request a copy of the other organization\xe2\x80\x99s\n    general support system security plan. In addition, DoD requires that all\n    interconnected DoD information systems be managed to ensure that one system is\n    not undermined by vulnerabilities of interconnected systems. The PMO did not\n    obtain assurances of security controls over the mainframe by obtaining the\n    general support system security plan as recommended by NIST. The PMO also\n    did not obtain the DISA Statement on Auditing Standards No. 70 report. The\n    Statement on Auditing Standards No. 70 report is used to provide an opinion on\n    the adequacy of the internal controls over information processed by a service\n    organization.\n\n    The PMO should be aware of the types of controls in place or at least obtain the\n    service organization security plan to determine if a security function performed\n    by other responsible parties ensures that the security environment of the SABRS\n    is not undermined.\n\n\n\n\n                                        17\n\x0cTASO Account Identification\n\n    An accurate list of all TASO account holders was not available because the PMO\n    did not periodically reconcile the TASO appointment letters with actual TASO\n    account holders identified within SABRS. SABRS TASOs create and assign user\n    IDs and set user privileges. 
DFAS requires that TASOs be designated in an\n    appointment letter.\n\n    We obtained three separate documents to determine SABRS TASO account\n    holders:\n\n           \xe2\x80\xa2   a SABRS-generated user ID list,\n\n           \xe2\x80\xa2   a list of TASO user IDs maintained by the PMO, and\n\n           \xe2\x80\xa2   TASO appointment letters maintained by the DFAS Kansas City\n               Technology Services Organization.\n\n    The SABRS TASO account holders identified on each of these three documents\n    did not agree and the PMO did not reconcile the differences.\n\n    The PMO must regularly reconcile TASO users with the applicable rights\n    assigned in SABRS. When an individual is no longer required to perform TASO\n    duties, appointment letters should be formally rescinded, along with the rights\n    provided to TASOs. The individual is no longer accountable for TASO duties\n    after the formal rescission. This practice would institute the principle of least\n    privilege, which states that users should be granted access only to the resources\n    they need to perform their official functions. By applying this principle, the PMO\n    may limit damages resulting from human error or unauthorized use of system\n    resources.\n\n\nAcceptance Testing Documentation for Software Changes\n\n    The PMO did not provide documentation that proved acceptance testing was\n    completed prior to issuing software changes to SABRS. SABRS software change\n    requests are documented in the Configuration Management Information System.\n    We reviewed 17 SABRS software change requests from this system. 
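
    The TASO reconciliation described above under TASO Account Identification, worked through in code. This is an added example, not the report's or DFAS's own procedure; it compares the three records the report says disagreed (the SABRS-generated user ID list, the PMO's TASO list, and the appointment letters) and lists the rights to revoke and the letters to rescind. The same comparison is the shape of the monthly ACID validation described in the management comments under A.1.d, where accounts holding SABRS access are checked against current authorizations and the removed entries are recorded. The user IDs, dates, and field names are constructed assumptions.

```python
"""
Added example; not part of the DoD IG report or of SABRS. It reconciles
the three records the report says disagreed (the SABRS-generated user ID
list, the PMO's TASO list, and the TASO appointment letters) and produces
the removal and rescission actions the report calls for. The same shape
serves the monthly ACID access validation described under A.1.d: accounts
holding access are compared with current authorizations and the entries
to remove are listed. User IDs, dates and field names are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class AppointmentLetter:
    user_id: str
    appointed: date
    rescinded: Optional[date] = None       # None: letter still in force

    def active_on(self, day: date) -> bool:
        return self.appointed <= day and (self.rescinded is None or self.rescinded > day)


def reconcile(sabrs_users: Dict[str, str], pmo_list: Set[str],
              letters: Iterable[AppointmentLetter], as_of: date) -> Dict[str, List[str]]:
    """Compare TASO rights in SABRS with the PMO list and the appointment letters.

    Each value is a sorted list of user IDs needing action as of `as_of`."""
    letters = list(letters)
    in_sabrs = {uid for uid, role in sabrs_users.items() if role == "TASO"}
    appointed = {l.user_id for l in letters if l.active_on(as_of)}
    ever_appointed = {l.user_id for l in letters}
    return {
        # holds TASO rights with no letter in force: remove the rights (least privilege)
        "revoke_rights": sorted(in_sabrs - appointed),
        # TASO rights that no letter, current or rescinded, ever authorized
        "never_appointed": sorted(in_sabrs - ever_appointed),
        # letter in force but no TASO account: rescind the letter or grant the role
        "letter_without_account": sorted(appointed - in_sabrs),
        # the PMO's own list out of step with SABRS in either direction
        "missing_from_pmo_list": sorted(in_sabrs - pmo_list),
        "extra_on_pmo_list": sorted(pmo_list - in_sabrs),
    }


# Constructed sample records (assumed identifiers; not from the report).
SABRS_USER_IDS = {"KC0101": "TASO", "KC0102": "TASO", "KC0103": "USER", "KC0104": "TASO"}
PMO_TASO_LIST = {"KC0101", "KC0102", "KC0105"}
APPOINTMENT_LETTERS = [
    AppointmentLetter("KC0101", date(2007, 1, 15)),
    AppointmentLetter("KC0102", date(2006, 6, 1), rescinded=date(2007, 11, 30)),
    AppointmentLetter("KC0105", date(2007, 9, 1)),
]
AS_OF = date(2008, 1, 31)


def sample_reconciliation() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed records."""
    return reconcile(SABRS_USER_IDS, PMO_TASO_LIST, APPOINTMENT_LETTERS, AS_OF)


if __name__ == "__main__":
    for action, ids in sample_reconciliation().items():
        print(f"{action}: {', '.join(ids) or '-'}")
```

    In the constructed data, KC0102's letter was rescinded but the TASO rights were never removed, KC0104 holds TASO rights that no letter ever authorized, and KC0105 appears on the PMO list and in a letter but has no SABRS account. Running the comparison on a schedule, and keeping its output as the validation record, is what turns the appointment letters into an enforceable least-privilege control rather than a filing requirement.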
There was\n    no evidence of software acceptance testing by the PMO for any of the 17 requests.\n    The PMO did provide us with e-mail documentation stating that the SABRS\n    system change was accepted, but it did not provide any documentation that\n    supported the type of testing conducted and the corresponding results.\n\n\n\n\n                                        18\n\x0c    The DFAS Kansas City Technology Services Organization is responsible for\n    making the technical system changes to SABRS. Its own SABRS Software\n    Configuration Management Plan requires the completion of acceptance testing\n    prior to implementing software changes. In addition, its SABRS Software\n    Development Plan states the USMC will participate in acceptance testing.\n\n    The PMO stated that it was responsible for performing acceptance testing on\n    behalf of the USMC. USMC confirmed that they rely on the PMO to perform\n    SABRS acceptance testing. Application users should conduct acceptance testing\n    to verify that its requirements were met by the software change. Failure to\n    document the results of acceptance testing creates uncertainty that user\n    requirements have been met.\n\n\nAuthorized Software\n\n    Unauthorized software had been installed on DFAS Kansas City network\n    computers. SABRS security could be compromised by introducing unauthorized\n    software to the DFAS Kansas City Enterprise-wide Local Area Network, which\n    allows access to SABRS. The PMO did not coordinate with all parties\n    responsible for security over SABRS to ensure that unauthorized software was\n    restricted from network computers.\n\n    DoD Instruction 8500.2 restricts the use of unauthorized software and firmware\n    on its information systems. 
However, DFAS Kansas City did not adequately\n    prohibit users from installing software on their desktop computers.\n\n    DFAS Technology Services Organization personnel stated that because DFAS\n    Kansas City is on the Base Realignment and Closure list, the computers located at\n    DFAS Kansas City are not locked down using the Desktop Management\n    Initiative. The Desktop Management Initiative locks down the computer so the\n    user cannot load software or otherwise change the standard configuration. DFAS\n    Technology Services Organization did not institute this at DFAS Kansas City\n    because, personnel stated, it is not cost effective. However, based upon this\n    information, DFAS does have the ability to lock down the computer so personnel\n    cannot add unauthorized software. Unauthorized software increases the risk that\n    viruses will be introduced, errors can occur, and copyright laws may be violated.\n    The PMO should coordinate with the Technology Services Organization to ensure\n    these vulnerabilities are minimized to provide an effective security control\n    environment for SABRS.\n\n\n\n\n                                       19\n\x0cRecommendations, Management Comments, and Audit\n  Response\n\n    B.1. We recommend the Program Management Office coordinate with\n    Defense Information Systems Agency to:\n\n           a. Determine if the Standard Accounting, Budgeting, and Reporting\n    System password parameters meet the Joint Task Force Global Networks\n    requirements.\n\n         b. Establish password parameters and maintain relevant\n    documentation.\n\n    Management Comments. The Director, Information and Technology, DFAS\n    concurred. He explained that DISA provides password support over mainframe\n    applications using Top Secret software and this software meets the Joint Task\n    Force Global Network requirements to the best extent possible.\n\n    Audit Response. 
Comments from the Director, Information and Technology,\n    DFAS are partially responsive. Because DFAS owns SABRS, the PMO should\n    be aware of the SABRS password parameters, regardless of who provides\n    password support. We request that the Director, Information and Technology,\n    DFAS determine and document, for DFAS and the PMO, whether the SABRS\n    password parameters meet the Joint Task Force Global Networks requirements.\n\n    B.2. We recommend the Program Management Office:\n\n           a. Identify security controls performed by responsible organizations.\n\n    Management Comments. The Director, Information and Technology, DFAS\n    concurred. He stated that DFAS will identify the responsible organizations for\n    implementing required security controls and will make these explicitly clear in\n    the updated System Security Authorization Agreement. This action is required to\n    be completed by June 30, 2008.\n\n    Audit Response. Comments from the Director, Information and Technology,\n    DFAS are responsive and no additional comments are required.\n\n          b. Assess the security controls to ensure risks are identified and\n    appropriate countermeasures are implemented.\n\n    Management Comments. The Director, Information and Technology, DFAS\n    concurred. He stated that assessments are embedded activities in the certification\n    and authorization process and the Federal Information Security Management Act\n    reporting process.\n\n    Audit Response. Comments from the Director, Information and Technology,\n    DFAS are partially responsive. The Director, Information and Technology,\n\n\n                                        20\n\x0cDFAS did not identify the proposed actions and completion dates for assessing\nthe security controls to ensure risks are identified and appropriate\ncountermeasures are implemented. 
We request that the Director, Information and\nTechnology, DFAS provide the corrective actions taken and their associated\nimplementation dates.\n\n      c. Identify all Terminal Area Security Officer account holders\nmaintained within the Standard Accounting, Budgeting, and Reporting\nSystem.\n\n      d. Document Terminal Area Security Officer account holders with\nformal appointment letters.\n\n       e. Periodically reconcile the appointment letters with Terminal Area\nSecurity Officer account holders identified within the Standard Accounting,\nBudgeting, and Reporting System to ensure Terminal Area Security Officer\naccess is removed on a timely basis.\n\n      f. Rescind appointment letters for personnel who have been relieved\nof Terminal Area Security Officer account holder duties.\n\nManagement Comments. The Director, Information and Technology, DFAS\nconcurred. He stated that DFAS already complies with these recommendations.\n\nAudit Response. Comments from the Director, Information and Technology,\nDFAS are partially responsive. The Director, Information and Technology,\nDFAS did not identify the proposed actions and completion dates for:\n\n   \xe2\x80\xa2   identifying all TASO account holders maintained in SABRS,\n\n   \xe2\x80\xa2   documenting TASO account holders with formal appointment letters,\n\n   \xe2\x80\xa2   periodically reconciling the appointment letters with TASO account\n       holders identified within SABRS to ensure TASO access is removed on a\n       timely basis, and\n\n   \xe2\x80\xa2   rescinding appointment letters for personnel who have been relieved of\n       TASO account holder duties.\n\nWe request that the Director, Information and Technology, DFAS provide the\ncorrective actions taken for these four recommendations and provide the\nassociated implementation dates.\n\nB.3. 
We recommend the Program Management Office in conjunction with\nthe Technology Services Organization and United States Marine Corps\ncreate documentation requirements for acceptance testing including what\ndocumentation needs to be maintained and for how long. This testing\n\n\n\n\n                                   21\n\x0cdocumentation should include results of the tests performed in terms of pass\nor fail.\n\nManagement Comments. The Director, Information and Technology, DFAS\nconcurred. He stated that the PMO performs the acceptance testing and\nauthorizes it for release. Once all the software change requests for the release\nhave passed acceptance testing, the Program Manager signs a memo indicating\nthat the software can be loaded to the production environment.\n\nAudit Response. Comments from the Director, Information and Technology,\nDFAS are partially responsive. The DFAS did not provide documentation from\nthe PMO that supports the type of testing conducted and the corresponding\nresults. We request that the Director, Information and Technology, DFAS\nformally document requirements for acceptance testing including what\ndocumentation needs to be maintained and for how long.\n\nB.4. We recommend the Program Management Office in conjunction with\nthe Technology Services Organization:\n\n      a. Provide training to Defense Finance and Accounting Service\nKansas City personnel regarding DoD policies about unauthorized software.\n\nManagement Comments. The Director, Information and Technology, DFAS\nconcurred. He stated that the DoD-required annual information assurance\nawareness training provides personnel with the policies regarding unauthorized\nsoftware.\n\nAudit Response. Comments from the Director, Information and Technology,\nDFAS are responsive and no additional comments are required.\n\n        b. Determine, document, and implement procedures to identify and\nrestrict the load of unauthorized software.\n\nManagement Comments. 
The Director, Information and Technology, DFAS\nconcurred. He stated that the Technology Services Organization maintains all test\nplans and test results for the system integration testing. The PMO performs the\nacceptance testing and authorizes it for release.\n\nAudit Response. Comments from the Director, Information and Technology,\nDFAS are partially responsive. The comments do not explain how users are\nprevented from installing unauthorized software on their computers. We request\nthat the Director, Information and Technology, DFAS determine, document, and\nimplement procedures to identify and restrict users from loading unauthorized\nsoftware.\n\n\n\n\n                                    22\n\x0c       C. Defense Finance and Accounting\n          Service and Defense Information\n          Systems Agency Service Level\n          Agreement\n       DFAS Accounting Services-Marine Corps and DISA did not have an\n       approved Service Level Agreement because DFAS did not sufficiently\n       coordinate with DISA to complete the approval process. The absence of\n       an approved Service Level Agreement could result in unfulfilled\n       responsibilities and unresolved questioned authorities. In addition, neither\n       party can be held accountable for not executing the Service Level\n       Agreement requirements or for expenses incurred.\n\nThe PMO representing DFAS Accounting Services-Marine Corps and DISA did\nnot fully execute and approve the Service Level Agreement because the PMO and\nother designated parties did not sign it. The Execution section of the Service\nLevel Agreement states, \xe2\x80\x9cOfficial signatures indicate approval to the terms and\nconditions of this agreement by the indicated parties. 
This Service Level\nAgreement is effective upon the date of the final signature.\xe2\x80\x9d Without official\nsignatures, the PMO cannot ensure DISA performs necessary security controls.\nAlso, the PMO cannot hold DISA accountable if DISA fails to provide the\nnecessary security controls.\n\nNIST 800-35 states that a Service Level Agreement should define the\nexpectations of performance for each required security control, describe\nmeasurable outcomes, and identify remedies and response requirements for any\nidentified instance of noncompliance. To ensure SABRS is adequately protected,\nthe PMO and DISA must have a clear understanding of their respective roles and\nresponsibilities as discussed in the Service Level Agreement. Therefore, the\nService Level Agreement must be properly approved.\n\n\n\n\n                                    23\n\x0cRecommendations, Management Comments, and Audit\n  Response\n\n    C. We recommend the PMO representing the Defense Finance and\n    Accounting Service Accounting Services-Marine Corps coordinate with\n    Defense Information Systems Agency to obtain approval of the Service Level\n    Agreement by all applicable parties which includes authorized signatures of\n    designated individuals.\n\n    Management Comments. The Director, Information and Technology, DFAS\n    concurred. The PMO has an annual Service Level Agreement with DISA.\n\n    Audit Response. Comments from the Director, Information and Technology,\n    DFAS are partially responsive. The comments do not address whether the\n    Service Level Agreement is signed. The Service Level Agreement is not effective\n    until the date of the final signature. We request that the Director, Information and\n    Technology, DFAS obtain approval of the Service Level Agreement by all\n    applicable parties, which includes authorized signatures of designated individuals,\n    and provide us a copy.\n\n\n\n\n                                        24\n\x0cAppendix A. 
Scope and Methodology

   We conducted this audit from February 2006 through January 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

   We reviewed the general controls over SABRS provided by DFAS Kansas City. Specifically, we analyzed the 2003 and 2006 security plans, intrusion detection policies, software change request information, and related documentation. We interviewed DFAS Kansas City personnel to determine what general controls were in place over SABRS. We reviewed the FY 2005 FISMA report prepared by DFAS.

   We used the Government Accountability Office Federal Information System Controls Audit Manual, January 1999, to develop the procedures performed during this audit. At the beginning of the audit we provided a list of the audit documentation needed to perform the audit work outlined in the Federal Information System Controls Audit Manual. We did not receive all of the documentation.

   Our audit scope for general control testing was limited because not all documentation was made available during the audit. SABRS PMO management stated that this information was not under their direct control, and they did not provide it. We were unable to assess the adequacy of the following general controls over SABRS:

          •   security controls necessary to address the hiring, transferring, termination, work performance requirements, and other personnel issues;

          •   controls to address the verification of appropriate training for employees designated with specialized duties or advanced system privileges;

          •   controls necessary to determine whether system administrators can identify all authorized users and their corresponding authorized access;

          •   controls used for authorizing emergency and temporary access;

          •   controls necessary to determine whether access to system data is appropriate as determined by the data owner; and

          •   policies and controls necessary to segregate incompatible duties.

   Without effective general controls, application controls may be circumvented or modified. Based upon the magnitude of the general control weaknesses, we did not perform audit work on the application controls within SABRS.

   Use of Computer-Processed Data. We did not use computer-processed data to perform this audit.

   Government Accountability Office High-Risk Area. The Government Accountability Office has identified several high-risk areas in DoD. This report covers the protection of the Federal Government’s information systems.

   No prior coverage has been conducted on general controls over SABRS during the last 5 years.

Appendix B. Security Plan Comparison

The comparison below lists the areas of SABRS security plan noncompliance with DITSCAP and NIST.
It provides further detail on the weaknesses identified in finding B. For each DITSCAP and NIST requirement, the entries state whether the 2003 security plan and the 2006 security plan met the requirement, followed by the explanation for each year.

MISSION DESCRIPTION AND SYSTEM IDENTIFICATION

System Description - Describe the system focusing on the information security relevant features of the system.
    Met in 2003: No. Security relevant features were not addressed in the security plan.
    Met in 2006: No. Security relevant features were not addressed in the security plan.

System Criticality
    Met in 2003: No. The security plan labeled SABRS system criticality as a Mission Assurance Category III system, although the continuity of operations plan (COOP) delineated the system as Priority 1.
    Met in 2006: No. The security plan labeled SABRS system criticality as a Mission Assurance Category III system, although the COOP delineates the system as Priority 1.

ENVIRONMENT DESCRIPTION

Physical Security
    Met in 2003: No. The security plan did not list physical security controls for Defense Enterprise Computing Center St. Louis.
    Met in 2006: No. The security plan did not list physical security controls for DFAS Kansas City.

Administrative Issues
    Met in 2003: No. The security plan did not list the administrative security. For example, the separation of duties is not stated or explained.
    Met in 2006: No. The security plan did not list the administrative security. For example, the separation of duties is not stated or explained.

Personnel
    Met in 2003: Yes. The security plan stated the number and type of personnel required to operate and maintain SABRS.
    Met in 2006: No. The security plan did not state the number and type of personnel required to operate and maintain SABRS.

Threat Description
    Met in 2003: No. The security plan does not describe the likelihood of threats and how those threats are mitigated.
    Met in 2006: No. The security plan does not describe the likelihood of threats and how those threats are mitigated.

SYSTEM ARCHITECTURAL DESCRIPTION

National and DoD Security Requirements
    Met in 2003: Yes. The security plan lists applicable requirements.
    Met in 2006: No. The security plan did not list all applicable DoD and OMB requirements.

Governing Security Requisites
    Met in 2003: No. The security plan did not stipulate the SABRS-specific or DFAS policies and procedures.
    Met in 2006: No. The security plan did not stipulate the SABRS-specific or DFAS policies and procedures.

Security Concept of Operations
    Met in 2003: No. The security plan did not describe how the objectives of the security concept of operations would be accomplished.
    Met in 2006: No. The security plan did not describe how the objectives of the security concept of operations would be accomplished.

Network Connection Rules
    Met in 2003: No. The security plan did not identify the network connection rules.
    Met in 2006: No. The security plan did not identify the network connection rules.

Configuration and Change Management Requirements
    Met in 2003: No. The security plan did not identify the configuration and change management requirements.
    Met in 2006: No. The security plan did not identify the configuration and change management requirements.

ORGANIZATIONS AND RESOURCES

Organizations
    Met in 2003: Yes. The security plan identified other organizations and specific individuals for the certification and accreditation process.
    Met in 2006: No. The security plan did not identify a DISA representative for the certification and accreditation process.

Resources
    Met in 2003: No. Not all members of the certification and accreditation team were independent of the system developer or project manager.
    Met in 2006: No. The security plan did not identify a DISA representative for the certification and accreditation process.

Other Supporting Organizations
    Met in 2003: Yes. The security plan identified other organizations or working groups that were supporting the certification and accreditation process.
    Met in 2006: No. The security plan did not identify a DISA representative for the certification and accreditation process.

DITSCAP PLAN

Information System Characteristics
    Met in 2003: Yes. The security plan identified SABRS characteristics.
    Met in 2006: No. The security plan provided details of SABRS characteristics, but the security level changed from 2003 to 2006 without an explanation of why this certification level was changed.

Tasks and Milestones
    Met in 2003: No. The security plan did not identify tasks and milestones.
    Met in 2006: No. The security plan did not identify who is responsible for each activity or the completion criteria for each task.

Roles and Responsibilities
    Met in 2003: No. The security plan did not identify roles and responsibilities.
    Met in 2006: Yes. The security plan identified roles and responsibilities.

APPENDIX D: SYSTEM CONCEPT OF OPERATIONS
    Met in 2003: No. The security plan did not describe how SABRS operated.
    Met in 2006: No. The security plan did not describe how SABRS operated.

APPENDIX E: INFORMATION SYSTEM SECURITY POLICY
    Met in 2003: No. The security plan did not identify and describe the security policies of SABRS.
    Met in 2006: No. The security plan did not identify and describe the security policies of SABRS.

APPENDIX F: SECURITY REQUIREMENTS AND/OR REQUIREMENTS TRACEABILITY MATRIX
    Met in 2003: No. The security plan did not identify how SABRS was compliant with security requirements.
    Met in 2006: No. The security plan did not identify how SABRS was compliant with security requirements.

APPENDIX H: SECURITY TEST AND EVALUATION PLAN AND PROCEDURES
    Met in 2003: No. The security plan did not document the security test and evaluation plan and procedures or the results of that testing.
    Met in 2006: Yes. The security plan documented the security test and evaluation plan and procedures.

APPENDIX I: APPLICABLE SYSTEM DEVELOPMENT ARTIFACTS OR SYSTEM DOCUMENTS
    Met in 2003: Yes. The security plan identified where the system development artifacts and system documents were located.
    Met in 2006: No. The security plan identified a letter that was supposed to identify a risk mitigation currently in progress, but the letter was not there.

APPENDIX J: SYSTEM RULES OF BEHAVIOR
    Met in 2003: No. The security plan did not identify any SABRS rules of behavior.
    Met in 2006: Yes. The security plan identified SABRS rules of behavior.

APPENDIX K: INCIDENT RESPONSE PLAN
    Met in 2003: No. The security plan did not identify monitoring for intrusions within SABRS or investigating intrusions.
    Met in 2006: No. The security plan did not identify monitoring for intrusions within SABRS or investigating intrusions.

APPENDIX M: PERSONNEL CONTROLS AND TECHNICAL SECURITY CONTROLS
    Met in 2003: No. The security plan did not address the personnel and technical security controls for SABRS.
    Met in 2006: No. The security plan did not address the personnel and technical security controls for SABRS.

APPENDIX N: MOA (MEMORANDUM OF AGREEMENT) - SYSTEM INTERCONNECT AGREEMENTS
    Met in 2003: No. The security plan did not include MOA and interconnection agreements.
    Met in 2006: Yes. The security plan identified MOA and interconnection agreements.

APPENDIX O: SECURITY EDUCATION, TRAINING, AND AWARENESS PLAN
    Met in 2003: No. The security plan did not identify security education, training, and awareness plans.
    Met in 2006: No. The security plan did not identify how the security education, training, and awareness were to be accomplished.

APPENDIX Q: RESIDUAL RISK ASSESSMENT RESULTS
    Met in 2003: No. The security plan did not identify residual risk assessment results.
    Met in 2006: No. The security plan did not identify residual risk assessment results.

ADDITIONAL NIST REQUIREMENTS DITSCAP DOES NOT REQUIRE

Assignment of Security Responsibility
    Met in 2003: No. The security plan did not assign security responsibilities.
    Met in 2006: No. The security plan did not assign security responsibilities.

Data Integrity/Validation Controls
    Met in 2003: No. The security plan did not identify data integrity or data validation controls.
    Met in 2006: No. The security plan did not identify data integrity or data validation controls.

MAJOR APPLICATIONS - TECHNICAL CONTROLS

Identification and Authentication
    Met in 2003: No. The security plan did not identify the identification and authentication controls used by SABRS.
    Met in 2006: No. The security plan did not identify the identification and authentication controls used by SABRS.

Audit Trails
    Met in 2003: No. The security plan did not identify the audit trails for SABRS.
    Met in 2006: Yes. The security plan identified the audit trails for SABRS.

Appendix C. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)/Chief Financial Officer
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy
Director, Office of Financial Operations, ASN (FM&C)
Assistant Deputy Commandant for Programs and Resources (Fiscal), United States Marine Corps

Other Defense Organizations
Director, Defense Finance and Accounting Service
Chief Information Officer, Defense Finance and Accounting Service
Central Site Director, Defense Finance and Accounting Service Kansas City

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
 Senate Committee on Appropriations
 Senate Subcommittee on Defense, Committee on Appropriations
 Senate Committee on Armed Services
 Senate Committee on Homeland Security and Governmental Affairs
 House Committee on Appropriations
 House Subcommittee on Defense, Committee on Appropriations
 House Committee on Armed Services
 House Committee on Oversight and Government Reform
 House Subcommittee on Government Management, Organization, and Procurement, Committee on Oversight and Government Reform
 House Subcommittee on National Security and Foreign Affairs, Committee on Oversight and Government Reform

Defense Finance and Accounting Service Comments

Team Members

The Department of Defense Office of the Deputy Inspector General for Auditing, Defense Financial Auditing Service prepared this report.
Personnel of the Department of Defense Office of Inspector General who contributed to the report are listed below.

Paul J. Granetto
Patricia A. Marsh
Edward A. Blair
Cecelia M. Ball
Michael Adams
Beverly Smythe
Denny Moore
Cassondra Lane
Erin Hart